[c-nsp] Best practice to put a DNS server at same lan segment as main internet gateway

Gert Doering gert at greenie.muc.de
Thu Jun 23 18:12:08 EDT 2005


Hi,

On Wed, Jun 22, 2005 at 09:07:53PM +0200, nevot wrote:
> 2005/6/22, Gert Doering <gert at greenie.muc.de>:
> > On Tue, Jun 21, 2005 at 04:54:58PM -0400, cisco at confluence.com wrote:
> > > What ever happened to having a server that is not only hardened at the OS
> > > level, but also on a DMZ with publicly reachable (non-NATed) address space
> > > that is behind a stateful firewall?
> > 
> > A *stateful* firewall for *DNS* is asking for trouble.
>
> can you explain this?

Building and destroying session state is CPU intensive, and error prone 
("how do you know that the DNS 'session' is finished?") - and doesn't do 
you much good anyway on a stateless protocol...

A simple packet filter is what you want: permit UDP/53 and TCP/53 in, if
you do recursive DNS, permit packets coming *from* UDP/53 and TCP/53
(+established), and drop the rest.

In addition, standard server hardening rules apply: don't run
unnecessary services, make sure your DNS software is up to date, etc.

These very simple filters will get you all protection a firewall can
give you, but will avoid extra complexity that you don't need, and
that will always come around and bite you.

gert
-- 
Gert Doering
Mobile communications ... right now writing from * Isola dei Gabbiani *
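
The packet filter described in the reply above, written out as a Cisco IOS extended ACL. This is an added example, not Gert's or the list's own configuration; the server address 192.0.2.53, the interface name, the ephemeral-port range and applying the list outbound on the interface that faces the server's segment are assumptions.

```cisco
! Assumed: the DNS server is 192.0.2.53 and sits alone on GigabitEthernet0/1
ip access-list extended DNS-SERVER-IN
 remark Inbound queries to the server: UDP/53 and TCP/53
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 remark Only if the server recurses: answers coming *from* port 53
 remark (assumed ephemeral source-port range 1024-65535)
 permit udp any eq 53 host 192.0.2.53 gt 1023
 permit tcp any eq 53 host 192.0.2.53 gt 1023 established
 remark Drop the rest; log-input shows the ingress interface and MAC of hits
 deny ip any any log-input
!
interface GigabitEthernet0/1
 description Segment holding the DNS server
 ip access-group DNS-SERVER-IN out
```

The `established` keyword only checks TCP flags (ACK or RST set), so no session table is built or torn down; if the server does not recurse, leave the two "from port 53" lines out.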